Two questions:
1. Do you have acess to your phpyAdmin?
2. The site allows new users to register?
MAC
Hey Mac, thanks for your reply. Yes to number 1, no to number 2
OK
I’m assuming that they changed you pass, right?
If so, do you have any other user account to your site? even a non-administrator, but someone you can reach.
MAC
No, they didn’t change my pass. I can access my admin page as well as my database from within cpanel and all my stuff is still there. It’s just the front page that displays their propaganda, and my browser warns me that there is a trojan om the site.
Ah so you were attacked by nice hackers!
They probably just changed the index.php of you WP. Re-upload a new index.php or, as you have your ands in it, upgrade to the most recent version. This should take care of it.
Also change the FTP/server login data.
Please let me know the result.
MAC 🙂
I get a MDAC injection warning from AVG upon visiting your site. If FMacastro’s solution doesn’t work, try uploading a fresh copy of a theme and activate it. If the problem persists then at least you will know it isn’t due to code inserted in your theme’s files.
I tried to change theme, and the problem persisted, complete with trojan warning from my browser. It is strangely enough only on the first(home) page (regardless of theme). If I go directly to the permalink of a post, it displays correctly!
Could they have put some kind of a redirect in the .htaccess file?
Ooooohhhhh….just figured it out. They had put and index.http file in the root, right next to the index.php file. Deleted and it and everything seems back to normal. Could they have done more. And can I do more than to change my wordpress admin password?
Install and scan your active theme with this plugin:
http://wordpress.org/extend/plugins/antivirus/
It will scan your files to see if any virus codes were left. Next install this incredible plugin:
http://www.seoegghead.com/software/wordpress-firewall.seo
I know one person whose blog used to get hacked once a week until this plugin put an end to all the sql injection attacks. And aside from changing the wordpress password, also change the username from the default admin to something else (this needs to be done via phpmyadmin. Speaking of which change the password to that as well and your ftp credentials. You may also consider changing the default wordpress table prefix from “_wp” to something else.
Also if they did it through a file they put in your root directory then that means it was a ftp hack. So the first thing you should do is change your ftp password and username and use secure ftp from now on.
You should *always* notify your web host, especially if you are in a shared hosting environment. Do not delete any files from your server until your host has had a chance to examine them. Or better still, ZIP them up and send them to your host with a trouble/support ticket.
Often, it’s not YOUR site through which the hacker gained access. On a shared server, you are only as secure as the most lax person using the space so …. it could have been anyone’s account on that server that allowed the hacker access. But as always, to be safe, change ALL your account passwords.
And YES, TransPersonal‘s recommendation to change the default database prefix is excellent advice and one more way to lock down your WP installation. 🙂
Good luck.
Thanks guys, my wp install should now be locked down! Appreciate all the help!
